
Penetration testing from the inside (revisited)

The other day, our corporate person in charge of loss prevention came by for a couple day analysis of our store. Earlier, when I first reported my findings on the company computer network, I was told to report to this guy. I did, but he never replied. This was my chance to get him in person. I told my manager that I needed to speak with him, and she said it was a good idea, but that he was in a conference call and probably wouldn't have time. He had his laptop set up in our back office, next to my primary "network access workstation" (my "0wn3d" computer...). When he stepped out to take a leak or something, I went in. He had his laptop logged out.

I went over to the other computer and used my method to get a command prompt (see above link for explanation...). I did a "net view" to see if he was on the network under a NetBIOS name, and he was. I then did a "net send" and sent him a "Hail the Loss Prevention Person" message. It wouldn't show up until after he logged back in...so I stepped back outside the office and continued my work.

Not ten minutes later, I hear a "How'd ya do that, ya little hacker?" Offending? Maybe. He and I mean different things when we say the word. I offered to explain how, and he nodded. I went back into the office and, without a word, went through my trick of getting a command line. "You delved into the E: drive," he says. Actually, no I didn't, numbnuts, I was in the C: drive...(If you're reading this John, don't fire me). Then I typed "explorer Z:" and showed him where I could, "in theory" get the password for the VNC servers all around the network. Before I told him that I already had it, and could get on his laptop or anyone else's on the network, he said, "You shouldn't even be on this computer. It's to check benefits only." That was a contradiction in itself. We can't be on it, but we can. Never mind the fact that it's next to our normal terminals... and that it's always on and never logged out... and that the default page is the corporate website, which has employee manuals and open positions.. never mind that... I shouldn't be on the "Employee Computer". I quickly shut my mouth about the rest of what I'd found, like the fact that I printed off the password list from the kiosk on the sales floor...

The funny part is that instead of saying, "We'll fix it", or "I'll bring it up at the next board meeting", he says, "You shouldn't be on there." Do you think that anyone else who would be doing what I was doing would have "permission" either? Since when does a cracker have authorization to exploit a system. Granted, I am an exception, along with all the inside-exploiters... but I still don't think it makes any sense. He could have at least humored me and said "We'll see what we can do."

So it all comes down to how content you are in your current position . . .

We have all been in situations where no one would listen to us while we know there is a problem.. but no one else sees it..
I can't give you any help on the moral dilemma of how to handle this.. although I'd advise the letter.

ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !

SDK: Don't forget to copy it to your personnel file and have a copy notarized and placed in a secure place away from work...... Then it all becomes official.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Doing a non-sanctioned hack of the systems is a very stupid idea. You are far more likely to get legal action taken against you than anything else. Especially given the way that the security guy reacted to you in the first place. You need to get your facts straight, write them down with easy-to-repro steps, and elevate it to his boss and so on up the chain until someone listens.

Use your common sense and cover your ass. Don't listen to these 'hack them yourself' twits....it's not their butt on the line when you are forced to pack your stuff and possibly get jail time. And it is quite possible that it will happen...look at Randal Schwartz.

"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chshBlog of X

Originally posted here by SDK:
Safe Way: Complain to your boss by Email (Or Letter)

Dangerous Way: Hack the system administrator, IT Director and, in the last case, VP and President. One of them will react!

I've complained to my boss - both in person and email. I've informed other offices. For the first one I told them about, I got $50 and a thank you letter (came later after my other posts, I think). The effect of the letter was "Thank you, we'll fix it. Keep up the good work."

So if they appreciated my first find, and rewarded me for it, then why wouldn't they let me help them out, especially when this is sooo much bigger?